@autumnsgrove/groveengine 0.4.3 → 0.4.6

package/README.md

@@ -104,6 +104,26 @@ RESEND_API_KEY=re_xxxxx
    npx wrangler pages deploy
    ```
 
+## Fonts
+
+GroveEngine includes self-hosted accessibility-focused fonts in `static/fonts/`. After installing the package, copy the fonts to your project's static directory:
+
+```bash
+# Copy fonts from node_modules to your static folder
+cp -r node_modules/@autumnsgrove/groveengine/static/fonts/ static/fonts/
+```
+
+**Included fonts:**
+- `alagard.ttf` - Pixel art style
+- `AtkinsonHyperlegible-Regular.ttf` - High legibility
+- `CozetteVector.ttf` - Bitmap style
+- `Cormorant-Regular.ttf` - Elegant serif
+- `Lexend-Regular.ttf` - Reading optimized
+- `OpenDyslexic-Regular.otf` - Dyslexia-friendly
+- `Quicksand-Regular.ttf` - Rounded sans-serif
+
+Your `@font-face` declarations should reference `/fonts/fontname.ttf`.
+
 ## Key Components
 
 ### Gutter System

package/dist/ui/components/ui/Toast.svelte

@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { Toaster } from "sonner";
+	import { Toaster } from "svelte-sonner";
 
 	interface Props {
 		position?:

package/dist/ui/components/ui/toast.js

@@ -25,7 +25,7 @@ export const toast = {
     success: (message, options) => {
         sonnerToast.success(message, {
             duration: options?.duration || 3000,
-            description: options?.description
+            description: options?.description,
         });
     },
     /**
@@ -37,7 +37,7 @@ export const toast = {
     error: (message, options) => {
         sonnerToast.error(message, {
             duration: options?.duration || 4000,
-            description: options?.description
+            description: options?.description,
         });
     },
     /**
@@ -49,7 +49,7 @@ export const toast = {
     info: (message, options) => {
         sonnerToast.info(message, {
             duration: options?.duration || 3000,
-            description: options?.description
+            description: options?.description,
         });
     },
     /**
@@ -61,7 +61,7 @@ export const toast = {
     warning: (message, options) => {
         sonnerToast.warning(message, {
             duration: options?.duration || 3500,
-            description: options?.description
+            description: options?.description,
         });
     },
     /**
@@ -95,5 +95,5 @@ export const toast = {
      */
     dismissAll: () => {
         sonnerToast.dismiss();
-    }
+    },
 };

package/dist/utils/csrf.js

@@ -8,7 +8,7 @@
  * @returns {string} UUID v4 token
  */
 export function generateCSRFToken() {
-	return crypto.randomUUID();
+  return crypto.randomUUID();
 }
 
 /**
@@ -18,14 +18,14 @@ export function generateCSRFToken() {
  * @returns {boolean}
  */
 export function validateCSRFToken(request, sessionToken) {
-	if (!sessionToken) return false;
+  if (!sessionToken) return false;
 
-	const headerToken = request.headers.get('x-csrf-token');
-	const bodyToken = request.headers.get('csrf-token'); // fallback
+  const headerToken = request.headers.get("x-csrf-token");
+  const bodyToken = request.headers.get("csrf-token"); // fallback
 
-	if (!headerToken && !bodyToken) return false;
+  if (!headerToken && !bodyToken) return false;
 
-	return (headerToken === sessionToken) || (bodyToken === sessionToken);
+  return headerToken === sessionToken || bodyToken === sessionToken;
 }
 
 /**
@@ -34,39 +34,46 @@ export function validateCSRFToken(request, sessionToken) {
  * @returns {boolean}
  */
 export function validateCSRF(request) {
-	// Handle edge cases
-	if (!request || typeof request !== 'object') {
-		return false;
-	}
+  // Handle edge cases
+  if (!request || typeof request !== "object") {
+    return false;
+  }
 
-	if (!request.headers || typeof request.headers.get !== 'function') {
-		return false;
-	}
+  if (!request.headers || typeof request.headers.get !== "function") {
+    return false;
+  }
 
-	const origin = request.headers.get('origin');
-	const host = request.headers.get('host');
+  const origin = request.headers.get("origin");
+  const host = request.headers.get("host");
 
-	// Allow same-origin requests
-	if (origin) {
-		try {
-			const originUrl = new URL(origin);
+  // Allow same-origin requests
+  if (origin) {
+    try {
+      const originUrl = new URL(origin);
 
-			// Validate protocol (must be http or https)
-			if (!['http:', 'https:'].includes(originUrl.protocol)) {
-				return false;
-			}
+      // Validate protocol (must be http or https)
+      if (!["http:", "https:"].includes(originUrl.protocol)) {
+        return false;
+      }
 
-			const isLocalhost = originUrl.hostname === 'localhost' ||
-			                   originUrl.hostname === '127.0.0.1';
-			const hostMatches = host && originUrl.host === host;
+      const isLocalhost =
+        originUrl.hostname === "localhost" ||
+        originUrl.hostname === "127.0.0.1";
 
-			if (!isLocalhost && !hostMatches) {
-				return false;
-			}
-		} catch {
-			return false;
-		}
-	}
+      // Require HTTPS for non-localhost
+      if (!isLocalhost && originUrl.protocol !== "https:") {
+        return false;
+      }
 
-	return true;
+      const hostMatches = host && originUrl.host === host;
+
+      if (!isLocalhost && !hostMatches) {
+        return false;
+      }
+    } catch {
+      return false;
+    }
+  }
+
+  return true;
 }

package/dist/utils/sanitize.js

@@ -3,7 +3,7 @@
  * Uses isomorphic-dompurify for both server-side and client-side sanitization
  */
 
-import DOMPurify from 'isomorphic-dompurify';
+import DOMPurify from "isomorphic-dompurify";
 
 /**
  * Sanitize HTML content to prevent XSS attacks
@@ -11,20 +11,44 @@ import DOMPurify from 'isomorphic-dompurify';
  * @returns {string} - Sanitized HTML safe for rendering
  */
 export function sanitizeHTML(html) {
-	if (!html || typeof html !== 'string') {
-		return '';
-	}
+  if (!html || typeof html !== "string") {
+    return "";
+  }
 
-	const config = {
-		FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'link', 'style', 'form', 'input', 'button', 'base', 'meta'],
-		FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange', 'onsubmit', 'onmouseenter', 'onmouseleave'],
-		ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
-		ALLOW_DATA_ATTR: false,
-		KEEP_CONTENT: true,
-		SAFE_FOR_TEMPLATES: true
-	};
+  const config = {
+    FORBID_TAGS: [
+      "script",
+      "iframe",
+      "object",
+      "embed",
+      "link",
+      "style",
+      "form",
+      "input",
+      "button",
+      "base",
+      "meta",
+    ],
+    FORBID_ATTR: [
+      "onerror",
+      "onload",
+      "onclick",
+      "onmouseover",
+      "onfocus",
+      "onblur",
+      "onchange",
+      "onsubmit",
+      "onmouseenter",
+      "onmouseleave",
+      "style",
+    ],
+    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
+    ALLOW_DATA_ATTR: false,
+    KEEP_CONTENT: true,
+    SAFE_FOR_TEMPLATES: true,
+  };
 
-	return DOMPurify.sanitize(html, config);
+  return DOMPurify.sanitize(html, config);
 }
 
 /**
@@ -33,30 +57,92 @@ export function sanitizeHTML(html) {
  * @returns {string} - Sanitized SVG safe for rendering
  */
 export function sanitizeSVG(svg) {
-	if (!svg || typeof svg !== 'string') {
-		return '';
-	}
+  if (!svg || typeof svg !== "string") {
+    return "";
+  }
 
-	return DOMPurify.sanitize(svg, {
-		USE_PROFILES: { svg: true, svgFilters: true },
-		ALLOWED_TAGS: [
-			'svg', 'g', 'path', 'circle', 'rect', 'line', 'polyline', 'polygon',
-			'ellipse', 'text', 'tspan', 'defs', 'marker', 'pattern', 'clipPath',
-			'mask', 'linearGradient', 'radialGradient', 'stop', 'use', 'symbol',
-			'title', 'desc'
-		],
-		ALLOWED_ATTR: [
-			'class', 'id', 'transform', 'fill', 'stroke', 'stroke-width',
-			'x', 'y', 'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry',
-			'width', 'height', 'd', 'points', 'viewBox', 'xmlns', 'version',
-			'preserveAspectRatio', 'opacity', 'fill-opacity', 'stroke-opacity'
-		],
-		FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'link', 'style', 'foreignObject', 'image', 'a'],
-		FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'style', 'href', 'xlink:href'],
-		ALLOWED_URI_REGEXP: /^$/,
-		KEEP_CONTENT: false,
-		SAFE_FOR_TEMPLATES: true
-	});
+  return DOMPurify.sanitize(svg, {
+    USE_PROFILES: { svg: true, svgFilters: true },
+    ALLOWED_TAGS: [
+      "svg",
+      "g",
+      "path",
+      "circle",
+      "rect",
+      "line",
+      "polyline",
+      "polygon",
+      "ellipse",
+      "text",
+      "tspan",
+      "defs",
+      "marker",
+      "pattern",
+      "clipPath",
+      "mask",
+      "linearGradient",
+      "radialGradient",
+      "stop",
+      "use",
+      "symbol",
+      "title",
+      "desc",
+    ],
+    ALLOWED_ATTR: [
+      "class",
+      "id",
+      "transform",
+      "fill",
+      "stroke",
+      "stroke-width",
+      "x",
+      "y",
+      "x1",
+      "y1",
+      "x2",
+      "y2",
+      "cx",
+      "cy",
+      "r",
+      "rx",
+      "ry",
+      "width",
+      "height",
+      "d",
+      "points",
+      "viewBox",
+      "xmlns",
+      "version",
+      "preserveAspectRatio",
+      "opacity",
+      "fill-opacity",
+      "stroke-opacity",
+    ],
+    FORBID_TAGS: [
+      "script",
+      "iframe",
+      "object",
+      "embed",
+      "link",
+      "style",
+      "foreignObject",
+      "image",
+      "a",
+    ],
+    FORBID_ATTR: [
+      "onerror",
+      "onload",
+      "onclick",
+      "onmouseover",
+      "onfocus",
+      "onblur",
+      "style",
+      "href",
+      "xlink:href",
+    ],
+    KEEP_CONTENT: false,
+    SAFE_FOR_TEMPLATES: true,
+  });
 }
 
 /**
@@ -66,30 +152,104 @@ export function sanitizeSVG(svg) {
  * @returns {string} - Sanitized HTML safe for rendering
  */
 export function sanitizeMarkdown(markdownHTML) {
-	if (!markdownHTML || typeof markdownHTML !== 'string') {
-		return '';
-	}
+  if (!markdownHTML || typeof markdownHTML !== "string") {
+    return "";
+  }
 
-	// For markdown, we allow a broader set of tags but still sanitize
-	return DOMPurify.sanitize(markdownHTML, {
-		ALLOWED_TAGS: [
-			'a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd', 'del', 'div', 'dl', 'dt',
-			'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd',
-			'li', 'mark', 'ol', 'p', 'pre', 'q', 's', 'samp', 'small', 'span', 'strong',
-			'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'u', 'ul',
-			'var', 'input', 'label'
-		],
-		ALLOWED_ATTR: [
-			'href', 'src', 'alt', 'title', 'class', 'id', 'target', 'rel',
-			'width', 'height', 'align', 'type', 'checked', 'disabled'
-		],
-		FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'link', 'style', 'form', 'button'],
-		FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange', 'onsubmit', 'style'],
-		ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
-		ALLOW_DATA_ATTR: false,
-		KEEP_CONTENT: true,
-		SAFE_FOR_TEMPLATES: true
-	});
+  // For markdown, we allow a broader set of tags but still sanitize
+  return DOMPurify.sanitize(markdownHTML, {
+    ALLOWED_TAGS: [
+      "a",
+      "abbr",
+      "b",
+      "blockquote",
+      "br",
+      "code",
+      "dd",
+      "del",
+      "div",
+      "dl",
+      "dt",
+      "em",
+      "h1",
+      "h2",
+      "h3",
+      "h4",
+      "h5",
+      "h6",
+      "hr",
+      "i",
+      "img",
+      "ins",
+      "kbd",
+      "li",
+      "mark",
+      "ol",
+      "p",
+      "pre",
+      "q",
+      "s",
+      "samp",
+      "small",
+      "span",
+      "strong",
+      "sub",
+      "sup",
+      "table",
+      "tbody",
+      "td",
+      "tfoot",
+      "th",
+      "thead",
+      "tr",
+      "u",
+      "ul",
+      "var",
+      "input",
+      "label",
+    ],
+    ALLOWED_ATTR: [
+      "href",
+      "src",
+      "alt",
+      "title",
+      "class",
+      "id",
+      "target",
+      "rel",
+      "width",
+      "height",
+      "align",
+      "type",
+      "checked",
+      "disabled",
+    ],
+    FORBID_TAGS: [
+      "script",
+      "iframe",
+      "object",
+      "embed",
+      "link",
+      "style",
+      "form",
+      "button",
+    ],
+    FORBID_ATTR: [
+      "onerror",
+      "onload",
+      "onclick",
+      "onmouseover",
+      "onfocus",
+      "onblur",
+      "onchange",
+      "onsubmit",
+      "style",
+    ],
+    ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
+    ALLOW_DATA_ATTR: false,
+    KEEP_CONTENT: true,
+    SAFE_FOR_TEMPLATES: true,
+  });
 }
 
 /**
@@ -98,30 +258,30 @@ export function sanitizeMarkdown(markdownHTML) {
  * @returns {string} - Sanitized URL (returns empty string if dangerous)
  */
 export function sanitizeURL(url) {
-	if (!url || typeof url !== 'string') {
-		return '';
-	}
+  if (!url || typeof url !== "string") {
+    return "";
+  }
 
-	// Allow relative URLs
-	if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
-		return url;
-	}
+  // Allow relative URLs
+  if (url.startsWith("/") || url.startsWith("./") || url.startsWith("../")) {
+    return url;
+  }
 
-	// Check for dangerous protocols
-	const dangerous = /^(javascript|data|vbscript|file|about):/i;
-	if (dangerous.test(url)) {
-		return '';
-	}
+  // Check for dangerous protocols
+  const dangerous = /^(javascript|data|vbscript|file|about):/i;
+  if (dangerous.test(url)) {
+    return "";
+  }
 
-	// Only allow safe protocols
-	const safe = /^(https?|mailto|tel):/i;
-	if (!safe.test(url)) {
-		// If no protocol, assume relative
-		if (!url.includes(':')) {
-			return url;
-		}
-		return '';
-	}
+  // Only allow safe protocols
+  const safe = /^(https?|mailto|tel):/i;
+  if (!safe.test(url)) {
+    // If no protocol, assume relative
+    if (!url.includes(":")) {
+      return url;
+    }
+    return "";
+  }
 
-	return url;
+  return url;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autumnsgrove/groveengine",
-  "version": "0.4.3",
+  "version": "0.4.6",
   "description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
   "author": "AutumnsGrove",
   "license": "MIT",
@@ -127,6 +127,7 @@
   },
   "files": [
     "dist",
+    "static",
     "!dist/**/*.test.*"
   ],
   "scripts": {

package/static/favicon.png

@@ -0,0 +1 @@
+This is a placeholder. Please replace with an actual favicon.